Published in News

IOActive names and shames the “world’s most insecure” router

23 August 2016

Tiger Will Power is a security train wreck

IOActive has named and shamed what could be the world’s worst router and if what it claims is true, then it might be a collector’s item simply because it is so bad.

The BHU router, whose name translates to "Tiger Will Power", has more holes than Swiss cheese. It is not just easy to hack; it practically invites hackers in for tea and biscuits.

The router gives an attacker a choice of four ways to bypass the authentication system, all of which lead to the router's admin account.

An attacker authenticating on the router can use a hardcoded session ID (SID) value of 700000000000000 to gain admin privileges. The attacker does not even have to worry about mistyping it or dropping a zero, because the router will accept any value and still grant admin rights.

If the attacker wants the admin's real SID, all they have to do is read the router's system logs, which are exposed through a special URL reachable from the local network. And if a user tries to access the admin account without supplying a valid SID at all, the router simply generates a random SID value and still lets them in as admin.
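The three session flaws described above (a hardcoded admin SID, an unknown SID that fails open into a fresh admin session, and SIDs written verbatim to a readable log) modelled as a constructed Python illustration beside a hardened check. This is added example code, not BHU firmware code; the class names and the SID format are assumptions, and only the SID value is taken from the article.

```python
import hashlib
import hmac
import secrets

HARDCODED_ADMIN_SID = "700000000000000"  # value quoted in the article


class WeakSessions:
    """Models the reported behaviour: a hardcoded admin SID, and any
    unknown SID is replaced by a fresh one that is granted admin anyway."""

    def __init__(self):
        self.sessions = {}   # sid -> role
        self.log = []        # the router's log leaks SIDs in clear

    def is_admin(self, sid):
        if sid == HARDCODED_ADMIN_SID:          # magic value
            return True
        if sid not in self.sessions:             # fails open
            sid = secrets.token_hex(8)
            self.sessions[sid] = "admin"
        self.log.append(f"session {sid} accepted")   # SID written verbatim
        return self.sessions[sid] == "admin"


class HardenedSessions:
    """Only SIDs this store issued are valid; unknown ones fail closed,
    and the log records a truncated hash rather than the SID itself."""

    def __init__(self):
        self.sessions = {}   # sid -> role
        self.log = []

    def login(self, role):
        sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self.sessions[sid] = role
        return sid

    def is_admin(self, sid):
        if not isinstance(sid, str) or len(sid) != 32:
            return False                         # malformed input never matches
        for issued, role in self.sessions.items():
            if hmac.compare_digest(issued, sid):  # constant-time comparison
                digest = hashlib.sha256(sid.encode()).hexdigest()[:12]
                self.log.append(f"session sha256:{digest} accepted")
                return role == "admin"
        return False  # no magic values, no fallback session
```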

The router opens the SSH port to WAN connections on every boot, so an attacker can reach the SSH console from the Internet.

"Tiger Will Power" even takes care of account setup for the attacker. On every boot the router recreates a built-in backdoor account named bhuroot and resets its password, overwriting any password the user may have set for that account earlier. Because the account is recreated at each boot, the user cannot disable it.

Another hardcoded URL lets attackers go one level above the admin user and authenticate automatically as the root user.

But it is not just hackers who benefit from this router. IOActive said the router's firmware contains a built-in copy of the Privoxy proxy software.

The router diverts all of the user's Web traffic through this proxy, which appends a JavaScript file, loaded from the URL http://chdadd.100msh.com/ad.js, to the end of each page. Privoxy is a proxy server designed to help users strip ads from Web traffic on private networks; BHU uses it to insert them.
